Example 6 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class BouncyCastlePKIUtility method createX509Certificate.

@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions,
    Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair,
    BigInteger serialNumber, String alternateName) throws GeneralSecurityException, IOException {
    X509Certificate caCert = reader.getCACert();
    byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
    X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(
        X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()), serialNumber, startDate, endDate,
        new X500Name(dn), SubjectPublicKeyInfo.getInstance(publicKeyEncoded));
    // set key usage - required for proper x509 function
    KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment);
    // add SSL extensions - required for proper x509 function
    NetscapeCertType certType = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime);
    certGen.addExtension(MiscObjectIdentifiers.netscapeCertType, false, certType);
    certGen.addExtension(Extension.keyUsage, false, keyUsage);
    JcaX509ExtensionUtils extensionUtil = new JcaX509ExtensionUtils();
    AuthorityKeyIdentifier aki = extensionUtil.createAuthorityKeyIdentifier(caCert);
    certGen.addExtension(Extension.authorityKeyIdentifier, false, aki.getEncoded());
    certGen.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyWriter.getSubjectKeyIdentifier(clientKeyPair, extensions));
    certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
    // Add an additional alternative name if provided.
    if (alternateName != null) {
        /*
         * Why add the certificate subject again as an alternative name? RFC 6125 Section 6.4.4
         * stipulates that if SANs are provided, a validator MUST use them instead of the certificate
         * subject. If no SANs are present, the RFC allows the validator to use the subject field. So,
         * if we do have a SAN to add, we need to add the subject field again as a SAN.
         *
         * See http://stackoverflow.com/questions/5935369 and
         * https://tools.ietf.org/html/rfc6125#section-6.4.4
         *
         * NB: These extensions should *not* be marked critical since the subject field is not empty.
         */
        GeneralName subject = new GeneralName(GeneralName.directoryName, dn);
        GeneralName name = new GeneralName(GeneralName.directoryName, "CN=" + alternateName);
        ASN1Encodable[] altNameArray = { subject, name };
        GeneralNames altNames = GeneralNames.getInstance(new DERSequence(altNameArray));
        certGen.addExtension(Extension.subjectAlternativeName, false, altNames);
    }
    if (extensions != null) {
        for (X509ExtensionWrapper wrapper : extensions) {
            // Bouncycastle hates null values. So, set them to blank
            // if they are null
            String value = wrapper.getValue() == null ? "" : wrapper.getValue();
            certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DERUTF8String(value));
        }
    }
    if (byteExtensions != null) {
        for (X509ByteExtensionWrapper wrapper : byteExtensions) {
            // Bouncycastle hates null values. So, set them to blank
            // if they are null
            byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
            certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DEROctetString(value));
        }
    }
    JcaContentSignerBuilder builder = new JcaContentSignerBuilder(SIGNATURE_ALGO).setProvider(BC_PROVIDER);
    ContentSigner signer;
    try {
        signer = builder.build(reader.getCaKey());
    } catch (OperatorCreationException e) {
        throw new IOException(e);
    }
    // Generate the certificate
    return new JcaX509CertificateConverter().getCertificate(certGen.build(signer));
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) DEROctetString(org.bouncycastle.asn1.DEROctetString) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) DERSequence(org.bouncycastle.asn1.DERSequence) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) NetscapeCertType(org.bouncycastle.asn1.misc.NetscapeCertType) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
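Added example, not Candlepin's code: it issues a client certificate carrying the same kinds of extensions createX509Certificate above emits (key usage, EKU, AKI and SKI, a directoryName SAN that repeats the subject, and one DERUTF8String and one DEROctetString private extension), then reads them back the way a relying party would and runs the checks a reviewer of this method would want: the signature verifies under the CA key, the validity window covers the current time, the leaf is not a CA, the private OIDs are non-critical, and each private value decodes once the outer OCTET STRING that X509Certificate.getExtensionValue returns is stripped. It assumes bcprov and bcpkix on the classpath; the DNs, the fixed serial and the two OIDs under the self-assigned 2.25 arc are placeholders, not values from the project.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Added example (not Candlepin code): issue a client cert with Candlepin-style extensions and verify it.
public final class ExtensionRoundTrip {
    // Placeholder OIDs for one text and one binary private extension; not registered anywhere.
    static final ASN1ObjectIdentifier TEXT_OID = new ASN1ObjectIdentifier("2.25.1001.1");
    static final ASN1ObjectIdentifier BYTES_OID = new ASN1ObjectIdentifier("2.25.1001.2");

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
        kpg.initialize(2048);
        KeyPair caKeys = kpg.generateKeyPair();
        KeyPair clientKeys = kpg.generateKeyPair();
        Date now = new Date();
        Date notBefore = new Date(now.getTime() - TimeUnit.HOURS.toMillis(1)); // one-hour skew allowance, as in Example 9
        Date notAfter = new Date(now.getTime() + TimeUnit.DAYS.toMillis(365));
        X509Certificate ca = selfSignedCa(caKeys, notBefore, notAfter);
        X509Certificate client = issueClient(ca, caKeys.getPrivate(), clientKeys.getPublic(), notBefore, notAfter);

        // 1. Signature chains to the CA and the validity window covers now; both calls throw on failure.
        client.verify(ca.getPublicKey());
        client.checkValidity(now);
        // 2. Leaf constraints. keyUsage bits: 0 = digitalSignature, 2 = keyEncipherment, 5 = keyCertSign.
        boolean[] ku = client.getKeyUsage();
        check(ku[0] && ku[2] && !ku[5], "key usage");
        check(client.getBasicConstraints() == -1, "leaf must not be a CA");
        check(client.getExtendedKeyUsage().contains(KeyPurposeId.id_kp_clientAuth.getId()), "EKU clientAuth");
        // 3. Private OIDs must stay non-critical: RFC 5280 makes validators reject unrecognised critical extensions.
        check(client.getNonCriticalExtensionOIDs().containsAll(Arrays.asList(TEXT_OID.getId(), BYTES_OID.getId())),
            "private extensions must be non-critical");
        check(!client.hasUnsupportedCriticalExtension(), "unsupported critical extension");
        // 4. The written values come back intact once the outer OCTET STRING is unwrapped.
        check("hello".equals(readUtf8(client, TEXT_OID)), "UTF8String round trip");
        check(Arrays.equals(new byte[] {1, 2, 3}, readOctets(client, BYTES_OID)), "OCTET STRING round trip");
        System.out.println("all checks passed; SANs: " + client.getSubjectAlternativeNames());
    }

    static X509Certificate selfSignedCa(KeyPair keys, Date notBefore, Date notAfter) throws Exception {
        X500Name name = new X500Name("CN=Example Issuing CA, O=Example"); // placeholder DN
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
            name, BigInteger.ONE, notBefore, notAfter, name, keys.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        return sign(b, keys.getPrivate());
    }

    static X509Certificate issueClient(X509Certificate ca, PrivateKey caKey, PublicKey clientKey,
            Date notBefore, Date notAfter) throws Exception {
        X500Name subject = new X500Name("CN=consumer-uuid, O=example-org"); // placeholder DN
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
            X500Name.getInstance(ca.getSubjectX500Principal().getEncoded()),
            BigInteger.valueOf(0x1001), // fixed serial for the example; a real issuer must guarantee uniqueness
            notBefore, notAfter, subject, clientKey);
        JcaX509ExtensionUtils util = new JcaX509ExtensionUtils();
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        b.addExtension(Extension.authorityKeyIdentifier, false, util.createAuthorityKeyIdentifier(ca));
        b.addExtension(Extension.subjectKeyIdentifier, false, util.createSubjectKeyIdentifier(clientKey));
        // Same pattern as Example 6: the subject repeated as a directoryName SAN beside the extra name.
        b.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName[] {
            new GeneralName(GeneralName.directoryName, subject),
            new GeneralName(GeneralName.directoryName, "CN=alternate-name")}));
        b.addExtension(TEXT_OID, false, new DERUTF8String("hello"));
        b.addExtension(BYTES_OID, false, new DEROctetString(new byte[] {1, 2, 3}));
        return sign(b, caKey);
    }

    static X509Certificate sign(JcaX509v3CertificateBuilder b, PrivateKey issuerKey) throws Exception {
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(issuerKey);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(b.build(signer));
    }

    // getExtensionValue returns the DER OCTET STRING wrapping extnValue; strip it before decoding the value.
    static byte[] extnValue(X509Certificate cert, ASN1ObjectIdentifier oid) {
        byte[] wrapped = cert.getExtensionValue(oid.getId());
        check(wrapped != null, "extension " + oid + " absent");
        return ASN1OctetString.getInstance(wrapped).getOctets();
    }

    static String readUtf8(X509Certificate cert, ASN1ObjectIdentifier oid) throws Exception {
        return DERUTF8String.getInstance(ASN1Primitive.fromByteArray(extnValue(cert, oid))).getString();
    }

    // A DEROctetString value is double-wrapped: OCTET STRING { OCTET STRING { payload } }.
    static byte[] readOctets(X509Certificate cert, ASN1ObjectIdentifier oid) throws Exception {
        return ASN1OctetString.getInstance(ASN1Primitive.fromByteArray(extnValue(cert, oid))).getOctets();
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("check failed: " + what);
    }
}
```

Two deliberate differences from the method above: the example marks basicConstraints and keyUsage critical, as RFC 5280 recommends, while Candlepin leaves every extension non-critical; and it omits the legacy NetscapeCertType extension. The private OIDs are kept non-critical in both, since a validator that does not recognise a critical extension has to reject the whole certificate.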

Example 7 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapterTest method testSpecificLargeContent.

@Test
public void testSpecificLargeContent() throws IOException {
    Set<Product> products = new HashSet<>();
    products.add(largeContentProduct);
    largeContentProduct.setProductContent(null);
    for (Content content : largeContent) {
        largeContentProduct.addContent(content, false);
    }
    consumer.setFact("system.certificate_version", "3.3");
    Set<X509ByteExtensionWrapper> byteExtensions = certServiceAdapter.prepareV3ByteExtensions(product,
        getProductModels(product, products, "prefix", largeContentEntitlement), "prefix", null);
    Map<String, X509ByteExtensionWrapper> byteMap = new HashMap<>();
    for (X509ByteExtensionWrapper ext : byteExtensions) {
        byteMap.put(ext.getOid(), ext);
    }
    assertTrue(byteMap.containsKey("1.3.6.1.4.1.2312.9.7"));
    List<String> contentSetList = new ArrayList<>();
    try {
        contentSetList = v3extensionUtil.hydrateContentPackage(byteMap.get("1.3.6.1.4.1.2312.9.7").getValue());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    assertEquals(largeContent.size(), contentSetList.size());
    for (String url : largeTestUrls) {
        assertTrue(contentSetList.contains("/prefix" + url));
    }
    List<String> testList = Arrays.asList(largeTestUrls);
    for (String url : contentSetList) {
        assertTrue(testList.contains(url.substring(7)));
    }
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) Matchers.anyString(org.mockito.Matchers.anyString) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ExpectedException(org.junit.rules.ExpectedException) CertificateSizeException(org.candlepin.util.CertificateSizeException) IOException(java.io.IOException) ProductContent(org.candlepin.model.ProductContent) Content(org.candlepin.model.Content) EnvironmentContent(org.candlepin.model.EnvironmentContent) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 8 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapterTest method testSingleSegmentContent.

@Test
public void testSingleSegmentContent() throws IOException {
    Set<Product> products = new HashSet<>();
    products.add(largeContentProduct);
    largeContentProduct.setProductContent(null);
    largeContentProduct.addContent(createContent(CONTENT_NAME, CONTENT_ID, CONTENT_LABEL, CONTENT_TYPE,
        CONTENT_VENDOR, "/single", CONTENT_GPG_URL, ARCH_LABEL), false);
    consumer.setFact("system.certificate_version", "3.3");
    Set<X509ByteExtensionWrapper> byteExtensions = certServiceAdapter.prepareV3ByteExtensions(product,
        getProductModels(product, products, "", largeContentEntitlement), "", null);
    Map<String, X509ByteExtensionWrapper> byteMap = new HashMap<>();
    for (X509ByteExtensionWrapper ext : byteExtensions) {
        byteMap.put(ext.getOid(), ext);
    }
    assertTrue(byteMap.containsKey("1.3.6.1.4.1.2312.9.7"));
    List<String> contentSetList = new ArrayList<>();
    try {
        contentSetList = v3extensionUtil.hydrateContentPackage(byteMap.get("1.3.6.1.4.1.2312.9.7").getValue());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    assertTrue(contentSetList.contains("/single"));
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) Matchers.anyString(org.mockito.Matchers.anyString) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ExpectedException(org.junit.rules.ExpectedException) CertificateSizeException(org.candlepin.util.CertificateSizeException) IOException(java.io.IOException) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 9 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapter method createX509Certificate.

// TODO: productModels not used by V1 certificates. This whole v1/v3 split needs
// a re-org. Passing them here because it eliminates a substantial performance hit
// recalculating this for the entitlement body in v3 certs.
public X509Certificate createX509Certificate(Consumer consumer, Owner owner, Pool pool, Entitlement ent,
    Product product, Set<Product> products, List<org.candlepin.model.dto.Product> productModels,
    BigInteger serialNumber, KeyPair keyPair, boolean useContentPrefix)
    throws GeneralSecurityException, IOException {
    // oidutil is busted at the moment, so do this manually
    Set<X509ExtensionWrapper> extensions;
    Set<X509ByteExtensionWrapper> byteExtensions = new LinkedHashSet<>();
    products.add(product);
    Map<String, EnvironmentContent> promotedContent = getPromotedContent(consumer);
    String contentPrefix = getContentPrefix(consumer, owner, useContentPrefix);
    if (shouldGenerateV3(consumer)) {
        extensions = prepareV3Extensions();
        byteExtensions = prepareV3ByteExtensions(product, productModels, contentPrefix, promotedContent);
    } else {
        extensions = prepareV1Extensions(products, pool, consumer, ent.getQuantity(), contentPrefix, promotedContent);
    }
    Date endDate = setupEntitlementEndDate(pool, consumer);
    ent.setEndDateOverride(endDate);
    Calendar calNow = Calendar.getInstance();
    Calendar calMinusHour = Calendar.getInstance();
    calMinusHour.add(Calendar.HOUR, -1);
    Date startDate = pool.getStartDate();
    // Back-date notBefore by an hour when the pool started within the last hour, so a client whose
    // clock runs slightly behind the server does not see a freshly issued certificate as not yet valid.
    if (pool.getStartDate().getTime() > calMinusHour.getTime().getTime() &&
        pool.getStartDate().getTime() < calNow.getTime().getTime()) {
        startDate = calMinusHour.getTime();
    }
    return this.pki.createX509Certificate(createDN(ent, owner), extensions, byteExtensions,
        startDate, endDate, keyPair, serialNumber, null);
}
Also used : LinkedHashSet(java.util.LinkedHashSet) Calendar(java.util.Calendar) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper) EnvironmentContent(org.candlepin.model.EnvironmentContent) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate)

Example 10 with X509ByteExtensionWrapper

use of org.candlepin.pki.X509ByteExtensionWrapper in project candlepin by candlepin.

the class DefaultContentAccessCertServiceAdapter method createX509Certificate.

public X509Certificate createX509Certificate(Consumer consumer, Owner owner, BigInteger serialNumber,
    KeyPair keyPair, Date startDate, Date endDate) throws GeneralSecurityException, IOException {
    // fake a product dto as a container for the org content
    org.candlepin.model.dto.Product container = new org.candlepin.model.dto.Product();
    org.candlepin.model.dto.Content dContent = new org.candlepin.model.dto.Content();
    List<org.candlepin.model.dto.Content> dtoContents = new ArrayList<>();
    dtoContents.add(dContent);
    Environment environment = this.environmentCurator.getConsumerEnvironment(consumer);
    dContent.setPath(getContentPrefix(owner, environment));
    container.setContent(dtoContents);
    Set<X509ExtensionWrapper> extensions = prepareV3Extensions();
    Set<X509ByteExtensionWrapper> byteExtensions = prepareV3ByteExtensions(container);
    return this.pki.createX509Certificate(createDN(consumer, owner), extensions, byteExtensions,
        startDate, endDate, keyPair, serialNumber, null);
}
Also used : ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) X509Certificate(java.security.cert.X509Certificate) Content(org.candlepin.model.Content) EnvironmentContent(org.candlepin.model.EnvironmentContent) Environment(org.candlepin.model.Environment) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper)

Aggregations

X509ByteExtensionWrapper (org.candlepin.pki.X509ByteExtensionWrapper) 10
IOException (java.io.IOException) 6
ArrayList (java.util.ArrayList) 6
HashMap (java.util.HashMap) 6
EnvironmentContent (org.candlepin.model.EnvironmentContent) 6
Product (org.candlepin.model.Product) 6
UnsupportedEncodingException (java.io.UnsupportedEncodingException) 5
GeneralSecurityException (java.security.GeneralSecurityException) 5
CertificateExpiredException (java.security.cert.CertificateExpiredException) 5
HashSet (java.util.HashSet) 5
Content (org.candlepin.model.Content) 5
CertificateSizeException (org.candlepin.util.CertificateSizeException) 5
Test (org.junit.Test) 5
ExpectedException (org.junit.rules.ExpectedException) 5
Matchers.anyString (org.mockito.Matchers.anyString) 5
ProductContent (org.candlepin.model.ProductContent) 4
X509ExtensionWrapper (org.candlepin.pki.X509ExtensionWrapper) 4
X509Certificate (java.security.cert.X509Certificate) 3
LinkedHashSet (java.util.LinkedHashSet) 3
Calendar (java.util.Calendar) 1